On-boarding 5g routers to private 5g network

ABSTRACT

Systems, methods, and computer-readable media are provided for on-boarding network devices onto a private 5G network. An example method can include discovering a first private 5G network upon the network device being turned on, authenticating, at the network device, the network device, downloading a second network profile from an SM-DP+ server of a second private 5G network, and on-boarding the network device to the second private 5G network.

DESCRIPTION OF THE RELATED TECHNOLOGY

The present technology pertains to on-boarding routers to 5G networks and more particularly to a non-operator centric approach for on-boarding routers to private 5G networks.

BACKGROUND

Fifth generation (5G) mobile and wireless networks will provide enhanced mobile broadband communications and are intended to deliver a wider range of services and applications as compared to all prior generation mobile and wireless networks. Compared to prior generations of mobile and wireless networks, the 5G architecture is service based, meaning that wherever suitable, architecture elements are defined as network functions that offer their services to other network functions via common framework interfaces. To support this wide range of services and network functions across an ever-growing base of user equipment (UE), 5G networks incorporate the network slicing concept utilized in previous generation architectures.

In some scenarios, these 5G networks may be private 5G networks. Currently, 5G networks utilize a mobile network operator (MNO) or a mobile virtual network operator (MVNO) that is used for network connectivity and eSIM management services. Routers purchased for this purpose are shipped with the respective MNO/MVNO's SIM card, such that any future SIM management services need to be through the operator who shares those SIM credentials. However, this model may not work for private 5G deployments.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and other advantages and features of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only exemplary embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:

FIG. 1A illustrates an example cloud computing architecture in accordance with some examples of the disclosure.

FIG. 1B illustrates an example fog computing architecture in accordance with some examples of the disclosure.

FIG. 2 depicts an exemplary schematic representation of a 5G network environment in which network slicing has been implemented in accordance with some examples of the disclosure.

FIG. 3 illustrates a workflow diagram having various modules that enable onboarding network devices to a private 5G network in accordance with some examples of the disclosure.

FIG. 4 is a flowchart of a method for on-boarding a network device to a private 5G network in accordance with some examples of the disclosure.

FIG. 5 illustrates an example network device in accordance with some examples of the disclosure.

DETAILED DESCRIPTION

Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without parting from the spirit and scope of the disclosure. Thus, the following description and drawings are illustrative and are not to be construed as limiting. Numerous specific details are described to provide a thorough understanding of the disclosure. However, in certain instances, well-known or conventional details are not described in order to avoid obscuring the description. References to one or an embodiment in the present disclosure can be references to the same embodiment or any embodiment; and, such references mean at least one of the embodiments.

Reference to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the disclosure. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others.

The terms used in this specification generally have their ordinary meanings in the art, within the context of the disclosure, and in the specific context where each term is used. Alternative language and synonyms may be used for any one or more of the terms discussed herein, and no special significance should be placed upon whether or not a term is elaborated or discussed herein. In some cases, synonyms for certain terms are provided. A recital of one or more synonyms does not exclude the use of other synonyms. The use of examples anywhere in this specification including examples of any terms discussed herein is illustrative only, and is not intended to further limit the scope and meaning of the disclosure or of any example term. Likewise, the disclosure is not limited to various embodiments given in this specification.

Without intent to limit the scope of the disclosure, examples of instruments, apparatus, methods and their related results according to the embodiments of the present disclosure are given below. Note that titles or subtitles may be used in the examples for convenience of a reader, which in no way should limit the scope of the disclosure. Unless otherwise defined, technical and scientific terms used herein have the meaning as commonly understood by one of ordinary skill in the art to which this disclosure pertains. In the case of conflict, the present document, including definitions, will control.

Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or can be learned by practice of the herein disclosed principles. The features and advantages of the disclosure can be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the disclosure will become more fully apparent from the following description and appended claims, or can be learned by the practice of the principles set forth herein.

Overview

In one aspect, a method of on-boarding a network device to a 5G network can include discovering a first private 5G network upon the network device being turned on, authenticating, at the network device, the network device over the first private 5G network, upon successful authentication of the network device over the first private 5G network, downloading a second network profile of a second private 5G network from a Subscription Management-Data Preparation (SM-DP)+ server, and on-boarding the network device to the second private 5G network.

In another aspect, the network device is pre-configured with a first network profile and associated credentials corresponding to the first private 5G network.

In another aspect, authenticating the network device includes determining whether a Public Land Mobile Network ID (PLMNID) included in the first network profile matches a PLMNID of the first private 5G network.

In another aspect, the method can also include disabling the first network profile.

In another aspect, the method can also include performing, by the network device, a Domain Name Server (DNS) Resolution on a fully qualified domain name (FQDN) of the SM-DP+ server to find an Internet Protocol (IP) address of the SM-DP+ server.

In another aspect, on-boarding the network device to the second private 5G network includes receiving the second network profile and associated credentials for the second private 5G network from the SM-DP+ server.

In another aspect, on-boarding the network device to the second private 5G network includes sending the associated credentials for the second private 5G network to an ISE/UDM component of the second private 5G network.

In one aspect, a network device can include a transceiver and a processor configured to execute instructions that cause the processor to discover a first private 5G network upon the network device being turned on, authenticate, at the network device, the network device over the first private 5G network, upon successful authentication of the network device over the first private 5G network, download a second network profile of a second private 5G network from a Subscription Management-Data Preparation (SM-DP)+ server, and on-board the network device on the second private 5G network.

In one aspect, a non-transitory computer-readable storage medium having stored therein instructions which, when executed by a processor, cause the processor to discover a first private 5G network upon the network device being turned on, authenticate, at the network device, the network device over the first private 5G network, upon successful authentication of the network device over the first private 5G network, download a second network profile of a second private 5G network from a Subscription Management-Data Preparation (SM-DP)+ server, and on-board the network device on the second private 5G network.

EXAMPLE EMBODIMENTS

The mobile industry is transitioning from physical Subscriber Identity Module (SIM) cards to Software SIMs. GSMA has defined the eSIM solution, with protocols for downloading SIM profiles to an embedded, programmable SIM card (eUICC) in the device. The Groupe Speciale Mobile Association (GSMA), which represents the interests of mobile operators, has a Remote SIM Provisioning architecture that allows provisioning of multiple profiles into Embedded Universal Integrated Circuit Cards (eUICCs) and for the lifecycle management of the profiles. Each profile comprises the operator data related to a subscription, including the operator's credentials.

As per the workflow defined in GSMA's Remote SIM Provisioning specifications, eSIM profiles are typically owned and managed by the Service Provider. A new device from the manufacturing house comes with a pre-loaded bootstrapping profile, which allows only the specific operator associated with that bootstrapping profile to add/delete new eSIM profiles on the eUICC. Any time a new eSIM profile needs to be downloaded, the mobile user needs to reach out to the operator and have them securely package the profile and deliver it to the eUICC over the Subscription Management-Data Preparation (SM-DP)+ interface. This operator-centric model will work for mobile devices where there is always a public network subscription, but it is not a feasible option for devices that will operate in a private environment (e.g., in a private cellular network).

Telecommunication and networking device manufacturers such as Cisco, Inc. of San Jose, Calif., sell 5G routers with cellular-based WAN interfaces. For example, when a customer orders a router with 5G capabilities, the customer must select a mobile network operator (MNO) or a mobile virtual network operator (MVNO), which the customer will use for their network connectivity and eSIM management services. The manufacturer configures the router with the specified MNO and/or MVNO's SIM card and then ships the router to the customer. Any future SIM management services have to be through the operator who shares those SIM credentials.

This model, however, will not work for private 5G network deployments. For example, in some scenarios, the router may be always and only connected to a private 5G network and never connect to an MNO's public network. For example, a mining company may have large mining fields where they operate a private network for connectivity, because there are no public networks in the vicinity. A router in a truck with telemetric equipment can be connected to the private network.

To summarize, current operator centric techniques and approaches for eSIM management are insufficient/inadequate for use in private cellular network environments, for the following reasons.

First, routers integrate a High Speed WAN Interface Card (HWIC) module for cellular capabilities. The HWIC module has the 5G MODEM, eUICC and a Local Profile Assistant (LPA) agent. The router has no visibility or control of the eUICC device from the router console. For all practical purposes, the 5G module with MODEM and eUICC appears as an external device to the router, leaving no control from the router console over the eUICC device. The access to the SM-DP+ server has to be through the 5G MODEM, and not through any other network interface of the router. As a result, a new router out of the box has to first connect to a 5G network for it to obtain a new network profile. But, when there is no public network, and/or no subscription to a public network, the router has no way to reach the SM-DP+ server.

Second, it is not possible for a device manufacturer to configure an eSIM profile associated with a customer's private network because the Public Land Mobile Network Identifier (PLMNID) of the customer's private network and/or the SIM credentials to be used for that customer are unknown to the device manufacturer.

Third, there is no trigger for the LPA to reach the SM-DP+ server for a new profile. If there were some form of network connectivity and SMS support, a text message could have acted as a trigger to reach the SM-DP+ for a new profile.

In view of these deficiencies, there is a need for an efficient system and process where the customer can power on the device and be able to on-board the device securely and efficiently to a private network, even in the absence of a public network. This ability to on-board the device to their private network without requiring the eSIM services of an MVNO/MNO is important for enabling 5G WAN router deployments in private networks.

The disclosed technology addresses the need in the art for systems and processes for enabling onboarding of routers onto private 5G networks without requiring eSIM services of an MVNO/MNO. The example approaches and processes described below may be referred to as a non-operator centric and/or zero-touch approach or process for onboarding 5G routers and eSIM management.

A description of network environments and architectures for network data access and services, as illustrated in FIGS. 1A, 1B, and 2, is first disclosed herein. A discussion of systems, methods, and computer-readable media for on-boarding network devices to a private 5G network, as shown in FIGS. 3-4, will then follow. The discussion then concludes with a brief description of example devices, as illustrated in FIG. 5. These variations shall be described herein as the various embodiments are set forth. The disclosure now turns to FIG. 1A.

FIG. 1A illustrates a diagram of an example cloud computing architecture 100. The architecture can include a cloud 102. The cloud 102 can be used to form part of a TCP connection or otherwise be accessed through the TCP connection. Specifically, the cloud 102 can include an initiator or a receiver of a TCP connection and be utilized by the initiator or the receiver to transmit and/or receive data through the TCP connection. The cloud 102 can include one or more private clouds, public clouds, and/or hybrid clouds. Moreover, the cloud 102 can include cloud elements 104-114. The cloud elements 104-114 can include, for example, servers 104, virtual machines (VMs) 106, one or more software platforms 108, applications or services 110, software containers 112, and infrastructure nodes 114. The infrastructure nodes 114 can include various types of nodes, such as compute nodes, storage nodes, network nodes, management systems, etc.

The cloud 102 can be used to provide various cloud computing services via the cloud elements 104-114, such as SaaSs (e.g., collaboration services, email services, enterprise resource planning services, content services, communication services, etc.), infrastructure as a service (IaaS) (e.g., security services, networking services, systems management services, etc.), platform as a service (PaaS) (e.g., web services, streaming services, application development services, etc.), and other types of services such as desktop as a service (DaaS), information technology management as a service (ITaaS), managed software as a service (MSaaS), mobile backend as a service (MBaaS), etc.

The client endpoints 116 can connect with the cloud 102 to obtain one or more specific services from the cloud 102. The client endpoints 116 can communicate with elements 104-114 via one or more public networks (e.g., Internet), private networks, and/or hybrid networks (e.g., virtual private network). The client endpoints 116 can include any device with networking capabilities, such as a laptop computer, a tablet computer, a server, a desktop computer, a smartphone, a network device (e.g., an access point, a router, a switch, etc.), a smart television, a smart car, a sensor, a GPS device, a game system, a smart wearable object (e.g., smartwatch, etc.), a consumer object (e.g., Internet refrigerator, smart lighting system, etc.), a city or transportation system (e.g., traffic control, toll collection system, etc.), an internet of things (IoT) device, a camera, a network printer, a transportation system (e.g., airplane, train, motorcycle, boat, etc.), or any smart or connected object (e.g., smart home, smart building, smart retail, smart glasses, etc.), and so forth.

FIG. 1B illustrates a diagram of an example fog computing architecture 150. The fog computing architecture can be used to form part of a TCP connection or otherwise be accessed through the TCP connection. Specifically, the fog computing architecture can include an initiator or a receiver of a TCP connection and be utilized by the initiator or the receiver to transmit and/or receive data through the TCP connection. The fog computing architecture 150 can include the cloud layer 154, which includes the cloud 102 and any other cloud system or environment, and the fog layer 156, which includes fog nodes 162. The client endpoints 116 can communicate with the cloud layer 154 and/or the fog layer 156. The architecture 150 can include one or more communication links 152 between the cloud layer 154, the fog layer 156, and the client endpoints 116. Communications can flow up to the cloud layer 154 and/or down to the client endpoints 116.

The fog layer 156 or “the fog” provides the computation, storage and networking capabilities of traditional cloud networks, but closer to the endpoints. The fog can thus extend the cloud 102 to be closer to the client endpoints 116. The fog nodes 162 can be the physical implementation of fog networks. Moreover, the fog nodes 162 can provide local or regional services and/or connectivity to the client endpoints 116. As a result, traffic and/or data can be offloaded from the cloud 102 to the fog layer 156 (e.g., via fog nodes 162). The fog layer 156 can thus provide faster services and/or connectivity to the client endpoints 116, with lower latency, as well as other advantages such as security benefits from keeping the data inside the local or regional network(s).

The fog nodes 162 can include any networked computing devices, such as servers, switches, routers, controllers, cameras, access points, gateways, etc. Moreover, the fog nodes 162 can be deployed anywhere with a network connection, such as a factory floor, a power pole, alongside a railway track, in a vehicle, on an oil rig, in an airport, on an aircraft, in a shopping center, in a hospital, in a park, in a parking garage, in a library, etc.

In some configurations, one or more fog nodes 162 can be deployed within fog instances 158, 160. The fog instances 158, 160 can be local or regional clouds or networks. For example, the fog instances 158, 160 can be a regional cloud or data center, a local area network, a network of fog nodes 162, etc. In some configurations, one or more fog nodes 162 can be deployed within a network, or as standalone or individual nodes, for example. Moreover, one or more of the fog nodes 162 can be interconnected with each other via links 164 in various topologies, including star, ring, mesh or hierarchical arrangements, for example.

In some cases, one or more fog nodes 162 can be mobile fog nodes. The mobile fog nodes can move to different geographic locations, logical locations or networks, and/or fog instances while maintaining connectivity with the cloud layer 154 and/or the endpoints 116. For example, a particular fog node can be placed in a vehicle, such as an aircraft or train, which can travel from one geographic location and/or logical location to a different geographic location and/or logical location. In this example, the particular fog node may connect to a particular physical and/or logical connection point with the cloud layer 154 while located at the starting location and switch to a different physical and/or logical connection point with the cloud layer 154 while located at the destination location. The particular fog node can thus move within particular clouds and/or fog instances and, therefore, serve endpoints from different locations at different times.

FIG. 2 depicts an exemplary schematic representation of a 5G network environment 200 in which network slicing has been implemented, and in which one or more aspects of the present disclosure may operate. As illustrated, network environment 200 is divided into four domains, each of which will be explained in greater depth below: a User Equipment (UE) domain 210, e.g. of one or more enterprises, in which a plurality of user cellphones or other connected devices 212 reside; a Radio Access Network (RAN) domain 220, in which a plurality of radio cells, base stations, towers, or other radio infrastructure 222 resides; a Core Network 230, in which a plurality of Network Functions (NFs) 232, 234, . . . , n reside; and a Data Network 240, in which one or more data communication networks such as the Internet 242 reside. Additionally, the Data Network 240 can support SaaS providers configured to provide SaaSs to enterprises, e.g. to users in the UE domain 210.

Core Network 230 contains a plurality of Network Functions (NFs), shown here as NF 232, NF 234 . . . NF n. In some embodiments, core network 230 is a 5G core network (5GC) in accordance with one or more accepted 5GC architectures or designs. In some embodiments, core network 230 is an Evolved Packet Core (EPC) network, which combines aspects of the 5GC with existing 4G networks. Regardless of the particular design of core network 230, the plurality of NFs typically execute in a control plane of core network 230, providing a service based architecture in which a given NF allows any other authorized NFs to access its services. For example, a Session Management Function (SMF) controls session establishment, modification, release, etc., and in the course of doing so, provides other NFs with access to these constituent SMF services.

In some embodiments, the plurality of NFs of core network 230 can include one or more Access and Mobility Management Functions (AMF; typically used when core network 230 is a 5GC network) and Mobility Management Entities (MME; typically used when core network 230 is an EPC network), collectively referred to herein as an AMF/MME for purposes of simplicity and clarity. In some embodiments, an AMF/MME can be common to or otherwise shared by multiple slices of the plurality of network slices 252, and in some embodiments an AMF/MME can be unique to a single one of the plurality of network slices 252.

The same is true of the remaining NFs of core network 230, which can be shared amongst one or more network slices or provided as a unique instance specific to a single one of the plurality of network slices 252. In addition to NFs comprising an AMF/MME as discussed above, the plurality of NFs of the core network 230 can additionally include one or more of the following: User Plane Functions (UPFs); Policy Control Functions (PCFs); Authentication Server Functions (AUSFs); Unified Data Management functions (UDMs); Application Functions (AFs); Network Exposure Functions (NEFs); NF Repository Functions (NRFs); and Network Slice Selection Functions (NSSFs). Various other NFs can be provided without departing from the scope of the present disclosure, as would be appreciated by one of ordinary skill in the art.

Across these four domains of the 5G network environment 200, an overall operator network domain 250 is defined. The operator network domain 250 is in some embodiments a Public Land Mobile Network (PLMN), and can be thought of as the carrier or business entity that provides cellular service to the end users in UE domain 210. Within the operator network domain 250, a plurality of network slices 252 are created, defined, or otherwise provisioned in order to deliver a desired set of defined features and functionalities, e.g. SaaSs, for a certain use case or corresponding to other requirements or specifications. Note that network slicing for the plurality of network slices 252 is implemented in end-to-end fashion, spanning multiple disparate technical and administrative domains, including management and orchestration planes (not shown). In other words, network slicing is performed from at least the enterprise or subscriber edge at UE domain 210, through the Radio Access Network (RAN) 220, through the 5G access edge and the 5G core network 230, and to the data network 240. Moreover, note that this network slicing may span multiple different 5G providers.

For example, as shown here, the plurality of network slices 252 include Slice 1, which corresponds to smartphone subscribers of the 5G provider who also operates network domain 250, and Slice 2, which corresponds to smartphone subscribers of a virtual 5G provider leasing capacity from the actual operator of network domain 250. Also shown is Slice 3, which can be provided for a fleet of connected vehicles, and Slice 4, which can be provided for an IoT goods or container tracking system across a factory network or supply chain. Note that these network slices 252 are provided for purposes of illustration; in accordance with the present disclosure, the operator network domain 250 can implement any number of network slices as needed, and can implement these network slices for purposes, use cases, or subsets of users and user equipment in addition to those listed above. Specifically, the operator network domain 250 can implement any number of network slices for provisioning SaaSs from SaaS providers to one or more enterprises.

5G mobile and wireless networks will provide enhanced mobile broadband communications and are intended to deliver a wider range of services and applications as compared to all prior generation mobile and wireless networks. Compared to prior generations of mobile and wireless networks, the 5G architecture is service based, meaning that wherever suitable, architecture elements are defined as network functions that offer their services to other network functions via common framework interfaces. In order to support this wide range of services and network functions across an ever-growing base of user equipment (UE), 5G networks incorporate the network slicing concept utilized in previous generation architectures.

Within the scope of the 5G mobile and wireless network architecture, a network slice comprises a set of defined features and functionalities that together form a complete Public Land Mobile Network (PLMN) for providing services to UEs. This network slicing permits the controlled composition of a PLMN with the specific network functions and provided services that are required for a specific usage scenario. In other words, network slicing enables a 5G network operator to deploy multiple, independent PLMNs where each is customized by instantiating only those features, capabilities and services required to satisfy a given subset of the UEs or a related business customer's needs.

In particular, network slicing is expected to play a critical role in 5G networks because of the multitude of use cases and new services 5G is capable of supporting. Network service provisioning through network slices is typically initiated when an enterprise requests network slices when registering with the AMF/MME for a 5G network. At the time of registration, the enterprise will typically ask the AMF/MME for characteristics of network slices, such as slice bandwidth, slice latency, processing power, and slice resiliency associated with the network slices. These network slice characteristics can be used in ensuring that assigned network slices are capable of actually provisioning specific services, e.g. based on requirements of the services, to the enterprise.

With example network systems and architectures described above with reference to FIGS. 1A, 1B and 2, example embodiments of a non-operator centric and/or zero-touch approach or process for onboarding 5G routers and eSIM management will be described with reference to FIGS. 3 and 4.

FIG. 3 illustrates a workflow diagram having various modules that enable onboarding network devices to a private 5G network.

FIG. 3 is described with reference to various device and/or network components utilized for providing a non-operator centric/zero-touch approach, each of which is introduced and described with reference to its respective functionality.

eUICC 302 is configured to store multiple network profiles that can be provisioned and managed. eUICC 302 can also include a default network profile with a PLMN ID that can be registered to a manufacturer of the router. Additionally, eUICC 302 can include a network ID (NID), an international mobile subscriber identity (IMSI), and other parameters generated unique to the router or a group of routers. The default network profile can be an onboarding profile and/or a provisioning profile. Additionally, eUICC 302 can include an eUICC application that is configured to detect a network configured in the default profile and, after successful authentication and PDU creation, trigger a new profile download from an SM-DP+.

LPA 304 is a set of functionalities that provides local control of eUICC 302 to allow for downloading, removing, and/or switching between profiles. LPA 304 can also present a local management end user interface to an end user so that the end user can manage the status of profiles on eUICC 302. In some examples, the functions of LPA 304 can be built into eUICC 302.

UE 306 can be any user equipment device including, but not limited to, mobile devices, laptops, routers, and/or any other type of known or to be developed connected devices such as client endpoints 116 of FIGS. 1A and 1B, UE 212, etc. UE 306 can include eUICC 302 and LPA 304. For example, a router can include eUICC 302 and LPA 304. In some embodiments, the router can be embedded with a cellular modem and includes eUICC 302, LPA 304, and UE 306 in the form of the modem.

Next Generation NodeB, gNodeB, or gNB 308 is a radio node that allows 5G UEs, such as UE 306, to connect to a 5G core network, such as 5G-Core Network (5G-CN) 310. gNB 308 can be configured to provide 5G user plane and control plane terminations towards UE 306. gNB 308 more broadly may be referred to as base station 308.

5G-CN 310 can be a core network like core network 230 discussed above with respect to FIG. 2. In some embodiments, the onboarding profile for the router is activated based on a select set of gNBs 308. For example, on the slice and/or Data Network Names (DNNs) associated with this PLMNID, security policies could be configured to permit traffic only to the SM-DP+.
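
The policy just described, permitting only SM-DP+ traffic on the on-boarding slice/DNN, as an added example that is not part of the patent. The resolver address, the SM-DP+ FQDN (smdp.manufacturer.example) and every IP address below are constructed sample values; the DNS lookup is a stand-in table rather than a live query.

```python
"""Deny-by-default egress policy for the manufacturer PLMNID's on-boarding DNN.

Constructed illustration, not the patent's or any vendor's code."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List

# Constructed stand-in for the DNS Resolution of the SM-DP+ FQDN that the
# router performs; a real deployment queries the resolver reachable from the DNN.
DNS_TABLE: Dict[str, List[str]] = {
    "smdp.manufacturer.example": ["203.0.113.10", "203.0.113.11"],
}
RESOLVER_IP = "198.51.100.53"   # constructed resolver address


def constructed_resolve(fqdn: str) -> List[str]:
    return DNS_TABLE.get(fqdn, [])


@dataclass(frozen=True)
class Flow:
    """One user-plane flow leaving the on-boarding DNN."""
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


class OnboardingDnnPolicy:
    """Only two things are needed to fetch a new profile: DNS to resolve the
    SM-DP+ FQDN and HTTPS to the resolved SM-DP+ addresses (the LPA to SM-DP+
    interface, ES9+, runs over TLS). Everything else is dropped, so a router
    holding only the bootstrap profile can reach nothing but the profile server."""

    def __init__(self, smdp_fqdn: str, resolver_ip: str,
                 resolve: Callable[[str], List[str]] = constructed_resolve):
        self.smdp_fqdn = smdp_fqdn
        self.resolver_ip = ip_address(resolver_ip)
        self._resolve = resolve
        self.smdp_ips = set()
        self.refresh()

    def refresh(self) -> int:
        """Re-resolve the FQDN so the allow set follows SM-DP+ address changes."""
        self.smdp_ips = {ip_address(a) for a in self._resolve(self.smdp_fqdn)}
        return len(self.smdp_ips)

    def decide(self, flow: Flow) -> str:
        """Return 'permit:<reason>' or 'deny:<reason>' for one flow."""
        try:
            dst = ip_address(flow.dst_ip)
        except ValueError:
            return "deny:malformed-destination"
        if flow.proto == "udp" and flow.dst_port == 53:
            if dst == self.resolver_ip:
                return "permit:dns-to-configured-resolver"
            return "deny:dns-to-unknown-resolver"
        if flow.proto == "tcp" and flow.dst_port == 443 and dst in self.smdp_ips:
            return "permit:https-to-smdp+"
        return "deny:not-smdp+"

    def evaluate(self, flows: List[Flow]) -> Dict[str, int]:
        """Count decisions over a batch of flows, e.g. for a quick policy audit."""
        summary: Dict[str, int] = {}
        for flow in flows:
            verdict = self.decide(flow)
            summary[verdict] = summary.get(verdict, 0) + 1
        return summary


# Constructed sample traffic from a router that holds only the bootstrap profile.
SAMPLE_FLOWS = [
    Flow("198.51.100.53", 53, "udp"),   # resolve the SM-DP+ FQDN
    Flow("203.0.113.10", 443, "tcp"),   # profile download from SM-DP+
    Flow("203.0.113.10", 80, "tcp"),    # plaintext to the SM-DP+ host: not needed
    Flow("192.0.2.7", 443, "tcp"),      # some other server: denied
    Flow("192.0.2.53", 53, "udp"),      # unsanctioned resolver: denied
]

if __name__ == "__main__":
    policy = OnboardingDnnPolicy("smdp.manufacturer.example", RESOLVER_IP)
    for sample in SAMPLE_FLOWS:
        print(sample, "->", policy.decide(sample))
```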

Authentication Server Function (AUSF) and/or Unified Data Management(UDM) 312 is configured to authenticate UE 306 on 5G-CN 310, storage andmanagement of UE 306 identities, retrieve Access based information orrestrictions on a per-user basis, etc.

Identity Service Engine (ISE) 314 is configured to create and enforce security and access policies for devices connected to 5G-CN 310. ISE 314 simplifies identity management across various devices and applications. ISE 314 can be any known or to be developed component configured to implement an enterprise policy function.

Subscription Manager Data Preparation Platform (SM-DP+) 316 is responsible for the creation, download, remote management (e.g., enable, disable, update, delete) and protection of credentials (e.g., profiles).

FIG. 3 additionally illustrates a workflow for onboarding a router onto a private 5G network according to the non-operator centric and zero-touch based techniques of the present disclosure. Although the workflow depicts a particular sequence of operations, the sequence may be altered without departing from the scope of the present disclosure. For example, some of the operations depicted may be performed in parallel or in a different sequence that does not materially affect the function of the processes of FIG. 3. In other examples, different components of an example device or system that implements the workflow may perform functions at substantially the same time or in a specific sequence.

A manufacturer can register for a PLMNID to be used for UE 306 on-boarding to private 5G networks. This PLMNID can be used directly, or a NID space may be carved out from this PLMNID for creating additional private 5G networks under this PLMNID.

UE 306 can be a router with an embedded cellular modem including eUICC 302 and LPA 304 in the form of the modem. While being manufactured, UE 306 can be manufactured to include a default profile with a PLMNID registered to the manufacturer, with a NID, IMSI, and other parameters generated uniquely for that UE 306 or group of UEs 306. In other words, at the time of manufacturing, the manufacturer can provision eUICC 302 with an eSIM profile that is generated for that UE 306. The profile will use the PLMNID registered by the manufacturer and optionally a specific NID in conjunction with the PLMNID, which together will serve as a network identifier. A unique set of SIM credentials can be generated for each router or for a batch of routers; sharing one credential set across a batch means that the compromise of one router exposes the onboarding credentials of the whole batch, so per-router credentials are preferable where the provisioning workflow allows. At this stage, the only profile that will be active in the router will be this generated profile. Additionally, a manufacturer eUICC application can be installed on an eUICC device. The device may be eUICC 302, LPA 304, and/or a 5G modem where there is visibility of successful authentication of UE 306 to 5G-CN 310. This application can host a simple logic where, on detecting the network configured in the default provisioning profile in eUICC 302, and after a successful authentication and PDU session establishment, eUICC 302 will trigger a new profile download from SM-DP+ 316.

In some instances, customers can order devices such as UE 306 and select “private use” or “none” when prompted for a carrier option. The manufacturer can then ship UE 306 with provisioned eUICC 302 as described. The customer then receives the router and the eSIM profile that is stored in the eUICC device. The customer can then on-board the eSIM profile and associated credentials into UDM 312 or the Home Subscriber Server (HSS) infrastructure supporting their private 5G network (e.g., 5G-CN 310). In some examples, this process can be automated through an enterprise domain controller, such as Cisco's DNA Center.

To on-board UE 306 onto a private 5G network, a user can activate the default profile (e.g., the on-boarding profile). Additionally, an onboarding profile is activated on a select set of gNBs 308. On the slice/DNNs associated with this PLMNID, a security policy can be enabled such that the security policy only permits traffic to SM-DP+ 316 (plus the name resolution needed to find it, where the SM-DP+ is addressed by FQDN). Thus, one or more gNBs 308 in a staging area will be supporting this private network profile with the provisioning PLMNID. Therefore, gNBs 308 will be advertising the provisioning PLMNID and optionally an associated NID. The services supported on this PLMNID can be limited. Additionally, any network slices/DNNs associated with this PLMNID will have reachability only to their SM-DP+ server. The purpose of the PLMNID is to reach the SM-DP+ server. In some examples, the private network (e.g., 5G-CN 310) hosting the provisioning network will also host its own private network with its own PLMNID. Furthermore, ISE 314 can facilitate onboarding the router based on default credentials associated with the default profile.
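The only-to-SM-DP+ rule above is easiest to reason about as an explicit allow-list evaluated per flow. The following is an added example, not code from the patent or from any Cisco product: a small Python policy evaluator for the provisioning DNN that admits DNS to the configured resolver (needed to look up the SM-DP+ FQDN) and TLS to the SM-DP+ addresses, and denies everything else. The UE address pool, the resolver, the SM-DP+ addresses and the sample flows are all constructed for the example.

```python
"""Egress policy for the provisioning slice/DNN.

Added example, not code from the patent. It models the rule described in the
text: while a router is attached with the manufacturer's provisioning PLMNID,
the only reachable destination is the SM-DP+ (plus the resolver needed to
look up its FQDN). Addresses, names and flows below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow seen on the provisioning DNN; the UE is always the source."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class ProvisioningPolicy:
    ue_pool: str            # address pool handed out on the provisioning DNN
    resolver: str           # the only DNS server the UE may talk to
    smdp_addrs: frozenset   # addresses the SM-DP+ FQDN resolves to (assumed)
    smdp_port: int = 443    # ES9+ runs over HTTPS

    def decision(self, flow: Flow) -> tuple[bool, str]:
        """Return (allowed, reason) for one flow."""
        if ip_address(flow.src) not in ip_network(self.ue_pool):
            return False, "source not in provisioning pool"
        # DNS is needed to resolve the SM-DP+ FQDN, but only to the configured
        # resolver: port-53 traffic to arbitrary hosts is a tunnelling path.
        if flow.proto == "udp" and flow.dport == 53 and flow.dst == self.resolver:
            return True, "dns to configured resolver"
        if (flow.proto == "tcp" and flow.dport == self.smdp_port
                and flow.dst in self.smdp_addrs):
            return True, "tls to sm-dp+"
        return False, "default deny on provisioning dnn"


def evaluate(policy: ProvisioningPolicy, flows: list) -> list:
    """Evaluate a batch of flows; useful for testing a policy before rollout."""
    return [(f, *policy.decision(f)) for f in flows]


# Constructed inputs: a /24 UE pool, one resolver, an SM-DP+ with two A records.
POLICY = ProvisioningPolicy(
    ue_pool="10.250.0.0/24",
    resolver="10.250.0.1",
    smdp_addrs=frozenset({"192.0.2.10", "192.0.2.11"}),
)

SAMPLE_FLOWS = [
    Flow("10.250.0.23", "10.250.0.1", "udp", 53),     # resolve the SM-DP+ FQDN
    Flow("10.250.0.23", "192.0.2.10", "tcp", 443),    # ES9+ profile download
    Flow("10.250.0.23", "192.0.2.10", "tcp", 80),     # plaintext to the SM-DP+ host
    Flow("10.250.0.23", "198.51.100.5", "udp", 53),   # DNS to a foreign resolver
    Flow("10.250.0.23", "203.0.113.7", "tcp", 443),   # any other HTTPS destination
    Flow("10.9.9.9", "192.0.2.10", "tcp", 443),       # not from the provisioning pool
]

if __name__ == "__main__":
    for flow, allowed, why in evaluate(POLICY, SAMPLE_FLOWS):
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{verdict} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  ({why})")
```

Restricting port 53 to the configured resolver, rather than to any destination, is the part that is easy to get wrong: an onboarding router that can reach arbitrary DNS servers can move data out of the provisioning slice, and a leaked batch of default credentials would then buy an attacker more than a profile download. A packet core would express the same rule as a UPF/N6 filter or a firewall ACL keyed on the DNN.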

At step 350, UE 306 discovers 5G-CN 310. For example, UE 306 can connect to gNB 308 when UE 306 is connected to the network and turned on. As another more specific example, UE 306 can complete a Radio Resource Control (RRC) connection with the provisioning network, with the PLMNID or PLMNID/NID as configured in the profile installed in eUICC 302 as described above.

At step 355, UE 306 is registered on 5G-CN 310 and is authenticated by 5G-CN 310 via AUSF/UDM 312. More specifically, UE 306 is registered on and authenticated by 5G-CN 310 via AUSF/UDM 312 based on the credentials associated with the default profile. Additionally, UE 306 can responsively create a PDU session.

At step 360, ISE 314 triggers SM-DP+ server 316 to generate a new profile. More specifically, after a successful authentication of UE 306 to the provisioning network, the packet core and/or the enterprise policy function will trigger SM-DP+ 316 to generate a new profile package and/or select a predefined profile package for UE 306, either of which is specific to the customer's private network (e.g., 5G-CN 310).

Accordingly, SM-DP+ 316 will generate a new profile for UE 306 and keep the new profile ready for download. SM-DP+ 316 will also on-board the customer's private network credentials to UDM 312 and can additionally configure the policy in the enterprise policy system. The new profile can also include the PLMNID of the private network.

At step 365, the enterprise policy system of 5G-CN 310 can fetch the new profile for UE 306. Additionally, ISE 314 notifies UE 306 to fetch a new profile from SM-DP+ 316. As part of the PDU session establishment at step 365, 5G-CN 310 can optionally deliver the IP address or the fully qualified domain name (FQDN) of SM-DP+ 316. The 5G modem can update LPA 304 with the new FQDN/IP address of the SM-DP+ server. Additionally or alternatively, LPA 304 can be configured with a default FQDN associated with an SM-DP+ of the manufacturer. It is further considered that 5G-CN 310 can also trigger LPA 304 to fetch the new profile.

At step 370, UE 306 triggers LPA 304 to get the new profile. In some examples, the successful authentication to 5G-CN 310 can directly result in eUICC 302 activating the application configured in eUICC 302. For example, when a router is attached to the provisioning network matching the PLMNID in the eUICC's default provisioning profile, the router triggers eUICC 302, via LPA 304, to reach SM-DP+ 316 and download a new eSIM profile for the new private network.

At step 375, SM-DP+ 316 authorizes eUICC 302 to fetch the new profile.

At step 380, LPA 304 downloads the new profile. For example, LPA 304 can establish a transport layer security (TLS) connection to SM-DP+ 316 and download the new profile over the TLS connection. In the GSMA remote SIM provisioning architecture that an SM-DP+ implements, the LPA authenticates the server's TLS certificate, and the profile package is additionally encrypted under session keys agreed between the eUICC and the SM-DP+, so the profile contents are not exposed to the LPA, to the modem host, or to anything on the provisioning DNN.

At step 385, eUICC 302 disables the default profile. In some examples, if eUICC 302 is unable to obtain a new profile package, eUICC 302 can keep the default eSIM profile active.

At step 390, eUICC 302 activates the new private 5G network profile.

At step 395, UE 306 completes registration onto 5G-CN 310 and is authenticated by 5G-CN 310 via AUSF/UDM 312. For example, on re-attach or reboot, the router will discover the new private network and will complete authentication to its new network.
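Steps 350 through 395 above, together with the eUICC application logic described for eUICC 302, form one procedure. The following Python model is an added example, not the patent's code and not any vendor's LPA or eUICC implementation, that walks that procedure end to end with in-memory stand-ins: `FakeSmdp` plays SM-DP+ 316, a dictionary plays the DNS resolver, and every EID, ICCID, PLMNID and NID is constructed. It is deliberately strict about the failure cases the text calls out: no trigger unless the cell matches the provisioning profile, no download without authentication, and the default profile kept enabled when the SM-DP+ is unreachable or refuses the EID.

```python
"""Zero-touch onboarding flow of FIG. 3 (steps 350-395) as a state machine.

Added example, not code from the patent or any vendor LPA/eUICC. Ordering
follows the page: match the provisioning network, authenticate, resolve and
contact the SM-DP+, download, disable the default profile, enable the new one;
if the download fails the default profile stays active (step 385 caveat).
SM-DP+, resolver and identifiers are constructed; a real LPA speaks ES9+/ES10.
"""
from __future__ import annotations
from dataclasses import dataclass, field, replace
from enum import Enum


class State(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"


@dataclass
class Profile:
    iccid: str
    plmnid: str
    nid: str | None            # SNPN = PLMNID + NID; None for a plain PLMN
    imsi: str
    state: State = State.DISABLED


@dataclass
class Euicc:
    eid: str
    profiles: dict[str, Profile] = field(default_factory=dict)

    def enabled(self) -> Profile | None:
        return next((p for p in self.profiles.values() if p.state is State.ENABLED), None)

    def install(self, profile: Profile) -> None:
        self.profiles[profile.iccid] = profile

    def enable(self, iccid: str) -> None:
        """Exactly one profile is enabled at a time: step 385, then step 390."""
        for p in self.profiles.values():
            p.state = State.DISABLED
        self.profiles[iccid].state = State.ENABLED


class FakeSmdp:
    """Stand-in for SM-DP+ 316: authorises an EID (step 375), hands out its profile."""

    def __init__(self, prepared: dict[str, Profile], reachable: bool = True):
        self.prepared, self.reachable = prepared, reachable

    def download(self, eid: str) -> Profile:
        if not self.reachable:
            raise ConnectionError("sm-dp+ unreachable")
        if eid not in self.prepared:
            raise PermissionError(f"eid {eid} not authorised")
        return replace(self.prepared[eid])   # fresh copy per download


def onboard(euicc: Euicc, cell: tuple[str, str | None], auth_ok: bool,
            smdp_fqdn: str, dns: dict[str, str], smdp: FakeSmdp) -> list[str]:
    """Run the flow against one cell (PLMNID, NID) and return the step trace."""
    trace: list[str] = []
    default = euicc.enabled()
    # Step 350: the eUICC application only fires on the provisioning network.
    if default is None or (default.plmnid, default.nid) != cell:
        trace.append("350:network-mismatch")
        return trace
    trace.append("350:discovered")
    # Step 355: registration and AKA via AUSF/UDM with the default credentials.
    if not auth_ok:
        trace.append("355:auth-failed")
        return trace
    trace.append("355:authenticated,pdu-session-up")
    # Steps 365-380: resolve the SM-DP+ FQDN, get authorised, download the profile.
    try:
        if smdp_fqdn not in dns:
            raise ConnectionError(f"cannot resolve {smdp_fqdn}")
        trace.append(f"365:smdp={dns[smdp_fqdn]}")
        new = smdp.download(euicc.eid)
    except (ConnectionError, PermissionError) as exc:
        # Step 385 caveat: keep the default profile so the router stays reachable.
        trace.append(f"380:download-failed:{exc}:default-kept")
        return trace
    trace.append("380:downloaded")
    euicc.install(new)
    euicc.enable(new.iccid)                                  # steps 385 + 390
    trace.append("390:new-profile-enabled")
    trace.append(f"395:attach-to {new.plmnid}/{new.nid}")    # next attach/reboot
    return trace


def fresh_router(eid: str = "89049032123451234512345678901235") -> Euicc:
    """Router as shipped: only the manufacturer's provisioning profile, enabled."""
    e = Euicc(eid)
    e.install(Profile("8901000000000000001", "999001", "00000000001",
                      "999001000000001", State.ENABLED))
    return e


# Constructed: the customer's private-network profile, the provisioning cell
# identity, and a one-entry resolver.
PRIVATE_PROFILE = Profile("8901000000000000002", "999002", "0000000000a", "999002000000001")
PROVISIONING_CELL = ("999001", "00000000001")
DNS = {"smdp.example.net": "192.0.2.10"}
```

The point to keep from the model is the ordering: the default profile is disabled only after the new profile has landed on the eUICC, so a router never ends up with no enabled profile and no way back to the provisioning network. Run `onboard(fresh_router(), PROVISIONING_CELL, True, "smdp.example.net", DNS, FakeSmdp({...}))` with and without a prepared profile for the router's EID to see the two outcomes.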

FIG. 4 illustrates an example method 400 for on-boarding a router onto a private 5G network. Although the example method 400 depicts a particular sequence of operations, the sequence may be altered without departing from the scope of the present disclosure. For example, some of the operations depicted may be performed in parallel or in a different sequence that does not materially affect the function of the method 400. In other examples, different components of an example device or system that implements the method 400 may perform functions at substantially the same time or in a specific sequence. Steps of FIG. 4 will be described from the perspective of UE 306 of FIG. 3.

According to some examples, the method includes discovering a first private 5G network upon the network device being turned on at step 410. For example, the UE 306 illustrated in FIG. 3 may discover a first private 5G network upon the network device being turned on. In some examples, the network device is pre-configured with a first network profile and associated credentials corresponding to the first private 5G network. For example, example process 400 at step 410 may be the same as step 350 described above with reference to FIG. 3.

According to some examples, the method includes authenticating, at the network device, the network device at step 420. For example, the UE 306 illustrated in FIG. 3 may authenticate, at the network device, the network device. In some examples, authenticating the network device includes determining whether a PLMNID included in the first network profile matches a PLMNID of the first private 5G network. For example, example process 400 at step 420 may be the same as step 355 described above with reference to FIG. 3.

According to some examples, the method includes performing, by the network device, a Domain Name System (DNS) resolution of an FQDN of the SM-DP+ server to find an Internet Protocol (IP) address of the SM-DP+ server at step 430. For example, UE 306 illustrated in FIG. 3 may perform a DNS resolution of the FQDN of the SM-DP+ server to find an IP address of the SM-DP+ server. For example, example process 400 at step 430 may be the same as step 365.

According to some examples, the method includes downloading a second network profile from an SM-DP+ server of a second private 5G network at step 440. For example, the LPA 304 illustrated in FIG. 3 may download a second network profile from an SM-DP+ server of a second private 5G network. In some examples, downloading the second network profile is responsive to determining that a PLMNID in the first network profile matches a PLMNID of the first private 5G network. For example, example process 400 at step 440 may be the same as step 380 described above with reference to FIG. 3.
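The PLMNID match at steps 420 and 440 is a comparison of identifiers carried in the profile against what the cell broadcasts. The following is an added example, not code from the patent: it parses the identifiers involved (MCC and MNC from the PLMNID and from the IMSI, and the NID for an SNPN) and performs the match, including a check that the IMSI's leading digits agree with the profile's PLMNID. The profile values and cells are constructed; the structure of the identifiers follows 3GPP TS 23.003.

```python
"""Profile-to-network identity check behind steps 350, 420 and 440.

Added example, not the patent's code. A PLMNID is MCC (3 digits) + MNC
(2 or 3 digits); an IMSI starts with that PLMNID followed by the MSIN; an
SNPN is identified by PLMNID plus a 44-bit NID, written as 11 hex digits
(3GPP TS 23.003). Profiles and cells below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Plmn:
    mcc: str
    mnc: str

    @classmethod
    def parse(cls, plmnid: str) -> "Plmn":
        if not plmnid.isdigit() or len(plmnid) not in (5, 6):
            raise ValueError(f"PLMNID must be 5 or 6 digits, got {plmnid!r}")
        return cls(plmnid[:3], plmnid[3:])

    def __str__(self) -> str:
        return self.mcc + self.mnc


def parse_imsi(imsi: str, mnc_len: int) -> tuple:
    """Split an IMSI into (Plmn, MSIN). The MNC length is a property of the
    home network and cannot be recovered from the digits alone, so the profile
    has to carry it (on a physical SIM it lives in EF_AD)."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError(f"IMSI must be 6-15 digits, got {imsi!r}")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return Plmn(imsi[:3], imsi[3:3 + mnc_len]), imsi[3 + mnc_len:]


def normalise_nid(nid: Optional[str]) -> Optional[str]:
    """NID is 44 bits = 11 hex digits; compare lower-cased and zero-padded."""
    if nid is None:
        return None
    n = nid.strip().lower()
    if not n or len(n) > 11 or any(c not in "0123456789abcdef" for c in n):
        raise ValueError(f"NID must be 1-11 hex digits, got {nid!r}")
    return n.zfill(11)


@dataclass(frozen=True)
class NetworkId:
    plmn: Plmn
    nid: Optional[str] = None   # None: plain PLMN; set: SNPN


def profile_network(plmnid: str, imsi: str, mnc_len: int, nid: Optional[str]) -> NetworkId:
    """Build the network identity a profile claims, cross-checking that the IMSI
    really belongs to the profile's PLMNID (a mismatch means a corrupted or
    mis-provisioned profile and should stop onboarding rather than proceed)."""
    plmn = Plmn.parse(plmnid)
    imsi_plmn, _msin = parse_imsi(imsi, mnc_len)
    if imsi_plmn != plmn:
        raise ValueError(f"IMSI PLMN {imsi_plmn} != profile PLMNID {plmn}")
    return NetworkId(plmn, normalise_nid(nid))


def matches(profile: NetworkId, cell: NetworkId) -> bool:
    """True when the cell advertises the network the profile was issued for.
    For SNPNs both PLMNID and NID must agree: shared MCC/MNC values (such as
    MCC 999, set aside by ITU-T for private networks) are only told apart by
    the NID, so a PLMNID-only match would accept the wrong private network."""
    if profile.plmn != cell.plmn:
        return False
    if profile.nid is None:          # PLMN-only profile selects PLMN-only cells
        return cell.nid is None
    return profile.nid == cell.nid
```

`profile_network` is the part to call when the default profile is read out of the eUICC; `matches` is the step 350/420 decision. Both raise rather than return False on malformed identifiers, so a bad profile is reported instead of silently treated as "no network here".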

According to some examples, the method includes on-boarding the network device to the second private 5G network at step 450. For example, the UE 306 illustrated in FIG. 3 may on-board the network device to the second private 5G network. In some examples, on-boarding the network device to the second private 5G network includes receiving the second network profile and associated credentials for the second private 5G network from the SM-DP+ server. In some examples, on-boarding the network device to the second private 5G network includes sending the associated credentials for the second private 5G network to an ISE/UDM component of the second private 5G network. For example, example process 400 at step 450 may be the same as steps 390 and/or 395 described above with reference to FIG. 3.

According to some examples, the method includes disabling the first network profile at step 460. For example, the eUICC 302 illustrated in FIG. 3 may disable the first network profile. For example, example process 400 at step 460 may be the same as step 385 described above with reference to FIG. 3.

FIG. 5 illustrates an example network device 500 suitable for performing switching, routing, load balancing, and other networking operations. The example network device 500 can be implemented as switches, routers, nodes, metadata servers, load balancers, client devices, and so forth.

Network device 500 includes a central processing unit (CPU) 504, interfaces 502, and a bus 510 (e.g., a PCI bus). When acting under the control of appropriate software or firmware, the CPU 504 is responsible for executing packet management, error detection, and/or routing functions. The CPU 504 preferably accomplishes all these functions under the control of software including an operating system and any appropriate applications software. CPU 504 may include one or more processors 508, such as a processor from the INTEL X86 family of microprocessors. In some cases, processor 508 can be specially designed hardware for controlling the operations of network device 500. In some cases, a memory 506 (e.g., non-volatile RAM, ROM, etc.) also forms part of CPU 504. However, there are many different ways in which memory could be coupled to the system.

The interfaces 502 are typically provided as modular interface cards (sometimes referred to as “line cards”). Generally, they control the sending and receiving of data packets over the network and sometimes support other peripherals used with the network device 500. Among the interfaces that may be provided are Ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, and the like. In addition, various very high-speed interfaces may be provided such as fast token ring interfaces, wireless interfaces, Ethernet interfaces, Gigabit Ethernet interfaces, ATM interfaces, HSSI interfaces, POS interfaces, FDDI interfaces, WIFI interfaces, 3G/4G/5G cellular interfaces, CAN BUS, LoRa, and the like. Generally, these interfaces may include ports appropriate for communication with the appropriate media. In some cases, they may also include an independent processor and, in some instances, volatile RAM. The independent processors may control such communications intensive tasks as packet switching, media control, signal processing, crypto processing, and management. By providing separate processors for the communication intensive tasks, these interfaces allow the master CPU (e.g., 504) to efficiently perform routing computations, network diagnostics, security functions, etc.

Although the system shown in FIG. 5 is one specific network device of the present disclosure, it is by no means the only network device architecture on which the present disclosure can be implemented. For example, an architecture having a single processor that handles communications as well as routing computations, etc., is often used. Further, other types of interfaces and media could also be used with the network device 500.

Regardless of the network device's configuration, it may employ one or more memories or memory modules (including memory 506) configured to store program instructions for the general-purpose network operations and mechanisms for roaming, route optimization and routing functions described herein. The program instructions may control the operation of an operating system and/or one or more applications, for example. The memory or memories may also be configured to store tables such as mobility binding, registration, and association tables, etc. Memory 506 could also hold various software containers and virtualized execution environments and data.

The network device 500 can also include an application-specific integrated circuit (ASIC), which can be configured to perform routing and/or switching operations. The ASIC can communicate with other components in the network device 500 via the bus 510, to exchange data and signals and coordinate various types of operations by the network device 500, such as routing, switching, and/or data storage operations, for example.

What is claimed is:
1. A method of on-boarding a network device to a 5G network, the method comprising: discovering a first private 5G network upon the network device being turned on; authenticating, at the network device, the network device over the first private 5G network; upon successful authentication of the network device over the first private 5G network, downloading a second network profile of a second private 5G network from a Subscription Management-Data Preparation (SM-DP)+ server; and on-boarding the network device to the second private 5G network.
2. The method of claim 1, wherein the network device is pre-configured with a first network profile and associated credentials corresponding to the first private 5G network.
3. The method of claim 2, wherein authenticating the network device includes determining whether a Public Land Mobile Network ID (PLMNID) included in the first network profile matches a PLMNID of the first private 5G network.
4. The method of claim 2, further comprising: disabling the first network profile.
5. The method of claim 1, further comprising: performing, by the network device, a Domain Name Server (DNS) Resolution on a fully qualified domain name (FQDN) of the SM-DP+ server to find an Internet Protocol (IP) address of the SM-DP+ server.
6. The method of claim 1, wherein on-boarding the network device to the second private 5G network includes receiving the second network profile and associated credentials for the second private 5G network from the SM-DP+ server.
7. The method of claim 1, wherein on-boarding the network device to the second private 5G network includes sending the associated credentials for the second private 5G network to an ISE/UDM component of the second private 5G network.
8. A network device comprising: a transceiver; a processor configured to execute instructions and cause the processor to: discover a first private 5G network upon the network device being turned on, authenticate, at the network device, the network device over the first private 5G network, upon successful authentication of the network device over the first private 5G network, download a second network profile of a second private 5G network from a Subscription Management-Data Preparation (SM-DP)+ server, and on-board the network device to the second private 5G network.
9. The network device of claim 8, wherein the network device is pre-configured with a first network profile and associated credentials corresponding to the first private 5G network.
10. The network device of claim 9, wherein authenticating the network device includes determining whether a Public Land Mobile Network ID (PLMNID) included in the first network profile matches a PLMNID of the first private 5G network.
11. The network device of claim 9, wherein the instructions further cause the processor to: disable the first network profile.
12. The network device of claim 8, wherein the instructions further cause the processor to: perform, by the network device, a Domain Name Server (DNS) Resolution on a fully qualified domain name (FQDN) of the SM-DP+ server to find an Internet Protocol (IP) address of the SM-DP+ server.
13. The network device of claim 8, wherein on-boarding the network device to the second private 5G network includes receiving the second network profile and associated credentials for the second private 5G network from the SM-DP+ server.
14. The network device of claim 8, wherein on-boarding the network device to the second private 5G network includes sending the associated credentials for the second private 5G network to an ISE/UDM component of the second private 5G network.
15. A non-transitory computer readable medium comprising instructions, the instructions, when executed by a computing system, cause the computing system to: discover a first private 5G network upon the network device being turned on; authenticate, at the network device, the network device over the first private 5G network; upon successful authentication of the network device over the first private 5G network, download a second network profile of a second private 5G network from a Subscription Management-Data Preparation (SM-DP)+ server; and on-board the network device to the second private 5G network.
16. The computer readable medium of claim 15, wherein the network device is pre-configured with a first network profile and associated credentials corresponding to the first private 5G network.
17. The computer readable medium of claim 16, wherein authenticating the network device includes determining whether a Public Land Mobile Network ID (PLMNID) included in the first network profile matches a PLMNID of the first private 5G network.
18. The computer readable medium of claim 16, wherein the instructions, when executed by the computing system, further cause the computing system to: disable the first network profile.
19. The computer readable medium of claim 15, wherein the instructions, when executed by the computing system, further cause the computing system to: perform, by the network device, a Domain Name Server (DNS) Resolution on a fully qualified domain name (FQDN) of the SM-DP+ server to find an Internet Protocol (IP) address of the SM-DP+ server.
20. The computer readable medium of claim 15, wherein on-boarding the network device to the second private 5G network includes receiving the second network profile and associated credentials for the second private 5G network from the SM-DP+ server.